Microsoft Defender for Endpoint: Alert Notification Rules

Question

Microsoft Defender for Endpoint gives configuration selections for alerts and detections.

These include notifications, custom indicators, and detection rules.

Which filter is a part of an Alert notification rule?

Answers

Explanations

A. B. C. D.

Correct Answer: B.

Screenshot (Microsoft Defender portal): Incident notifications > Create rule

Wizard steps: Basics > Notification settings > Recipients > Review rule

Notification settings
  • Alert severity (select alert severity)
  • Device group scope [MDE service only]
      ◦ All device groups: affects all current and future device groups in your organization.
      ◦ Selected device groups: choose device groups to get notifications for
  • Only notify on first occurrence per incident
  • Include organization name
  • Include tenant-specific portal link

When configuring Alert Notification rules in Microsoft Defender for Endpoint, you can choose to filter which alerts should trigger notifications based on specific criteria. One of the available filters for an Alert Notification rule is the Alert Severity filter.

Alert Severity refers to the level of threat associated with an alert. When an alert is generated in Microsoft Defender for Endpoint, it is assigned a severity level based on the potential impact of the threat. The severity levels range from Low to High, with Medium being the default setting for most alerts.

By selecting the Alert Severity filter when creating an Alert Notification rule, you can specify which severity levels should trigger a notification. For example, you might choose to receive notifications only for alerts with a High severity level, as these indicate a particularly serious threat. Alternatively, you might choose to receive notifications for all alerts, regardless of severity.

The other options mentioned in the question (Subject IDs, Account, and Alert IDs) are not filters that are part of an Alert Notification rule. They can, however, be useful for identifying specific alerts or groups of alerts when reviewing the alert history in Microsoft Defender for Endpoint.

  • Subject IDs refer to the user or device that was involved in the alert.
  • Account refers to the account or application that triggered the alert.
  • Alert IDs are unique identifiers assigned to each alert by Microsoft Defender for Endpoint, and can be used to search for and review specific alerts in the console.

Overall, when configuring Alert Notification rules in Microsoft Defender for Endpoint, it's important to consider which filters will be most useful for your organization's specific needs, and to adjust these settings as necessary over time to ensure that you are receiving timely and relevant alerts about potential threats.